[Open-scap] OpenScap Scanner on Windows

Jan Cerny jcerny at redhat.com
Mon Feb 20 08:04:50 UTC 2017


Hi,

I agree that it would be beneficial for OpenSCAP if we could scan containers
on Debian hosts as well.

Unfortunately, oscap-docker can currently run only on RHEL7 and Fedora hosts,
because it depends on Project Atomic. Atomic handles mounting of the container's
filesystem to the host's filesystem so that OpenSCAP can access the container.
AFAIK Atomic is not available on Debian.

However, there is a kind of hack that makes it possible to bypass it.
It should be possible to mount the filesystem of the container's image
to an arbitrary directory using the standard `mount` command and then use
the `oscap-chroot` utility that can scan arbitrary filesystems.

Regards

Jan Černý
Security Technologies | Red Hat, Inc.

----- Original Message -----
> From: "Brandon Westover" <Brandon.Westover at ellucian.com>
> To: rsprudencio at redhat.com, open-scap-list at redhat.com
> Sent: Thursday, February 16, 2017 4:24:18 PM
> Subject: Re: [Open-scap] OpenScap Scanner on Windows
> 
> Great!
> 
> I forgot to ask, but is there any support for oscap-docker under anything
> other than RHEL?
> https://www.open-scap.org/resources/documentation/security-compliance-of-rhel7-docker-containers/
> 
> I tried to search but couldn't really find anything, but was hoping that I
> could pull up Ubuntu or similar with Docker to scan containers/images.  I
> think we are using Debian in prod as our container host, so running the
> scans from that would be very beneficial.
> 
> Thanks in advance.
> 
> -----Original Message-----
> From: Raphael Sanchez Prudencio [mailto:rsprudencio at redhat.com]
> Sent: Thursday, February 16, 2017 9:33 AM
> To: Westover, Brandon <Brandon.Westover at ellucian.com>;
> open-scap-list at redhat.com
> Subject: Re: [Open-scap] OpenScap Scanner on Windows
> 
> Hello Brandon,
> 
> We are starting some efforts to make it work properly on Windows; it will
> probably be tracked here
> https://github.com/OpenSCAP/openscap/projects/1
> 
> Kind Regards
> 
> On 02/15/2017 06:35 PM, Westover, Brandon wrote:
> > Are there any plans to have Openscap scanner on Windows?  I would
> > prefer a command line option for Windows versus the GUI Workbench app
> > as we're looking to automate this.
> > 
> > _______________________________________________
> > Open-scap-list mailing list
> > Open-scap-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/open-scap-list
> > 
> 
> --
> Raphael Sanchez Prudencio
> Security Technologies | Red Hat, Inc.
> 
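The workaround described in the reply above (mount the image's filesystem with `mount`, then scan it with `oscap-chroot`), as an added example that is not part of the thread or of the OpenSCAP project. It assumes Docker with the overlay2 storage driver and a root shell; the function names are hypothetical, and the SCAP content file and profile ID are supplied by the caller.

```sh
#!/bin/sh
# Added example: mount a Docker image's filesystem read-only, scan it with
# oscap-chroot. Assumes the overlay2 storage driver and root privileges.
# Function bodies use ( ) so their variables stay local in plain POSIX sh.

# Build the overlay "lowerdir" value: the image's top layer (UpperDir) first,
# then its parent layers (LowerDir, which Docker lists top to bottom).
overlay_lowerdir() (
    upper=$1; lower=${2:-}
    # A single-layer image has no LowerDir (empty, or "<no value>" from the template).
    if [ -n "$lower" ] && [ "$lower" != "<no value>" ]; then
        printf '%s:%s' "$upper" "$lower"
    else
        printf '%s' "$upper"
    fi
)

# Mount the filesystem of image $1 read-only at directory $2.
mount_image_ro() (
    image=$1; target=$2
    driver=$(docker image inspect -f '{{.GraphDriver.Name}}' "$image") || exit 1
    if [ "$driver" != overlay2 ]; then
        echo "unsupported storage driver: $driver" >&2; exit 1
    fi
    upper=$(docker image inspect -f '{{.GraphDriver.Data.UpperDir}}' "$image")
    lower=$(docker image inspect -f '{{.GraphDriver.Data.LowerDir}}' "$image")
    dirs=$(overlay_lowerdir "$upper" "$lower")
    case $dirs in
        # Several layers: stack them with a read-only overlay mount.
        *:*) mount -t overlay overlay -o "ro,lowerdir=$dirs" "$target" ;;
        # One layer: a read-only bind mount of that directory is enough.
        *)   mount --bind "$dirs" "$target" && mount -o remount,ro,bind "$target" ;;
    esac
)

# Usage: scan_image IMAGE DATASTREAM_XML PROFILE_ID  (all supplied by the caller)
scan_image() (
    mnt=$(mktemp -d) || exit 1
    mount_image_ro "$1" "$mnt" || { rmdir "$mnt"; exit 1; }
    oscap-chroot "$mnt" xccdf eval --profile "$3" --results results.xml "$2"
    rc=$?   # oscap exits 2 when a rule fails
    umount "$mnt" && rmdir "$mnt"
    exit "$rc"
)

# Run a scan only when the script is given its three arguments.
if [ "$#" -eq 3 ]; then scan_image "$@"; fi
```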
